> On Apr 18, 2018, at 8:20 AM, Sriram, Kotikalapudi (Fed) 
> <[email protected]> wrote:
>> Let me mention that I think the WG should also consider potential use of
>> RPKI as a complementary mechanism to improve uRPF. Namely, if there is an
>> ROA for the prefix-origin pair, it should be allowed (even if the
>> (enhanced/preferred) uRPF check fails). In a future (fantasy?) where RPKI is
> 
> I agree with you here. When you say, "if there is an
> ROA for the prefix-origin pair, it should be allowed", I think you mean
> ROA for prefix-origin pair with origin AS in the ISP's customer cone.
> What you propose can be done even in partial deployment of RPKI, 
> of course not stand alone but for augmenting the RPF lists 
> constructed with the methods proposed in the draft.

It's worth emphasizing that an indirect part of the proposal in the draft is 
that RPF filters may be augmented from secondary sources.

The fact we've chosen BGP routes that aren't necessarily active in forwarding 
is one good example of it.

The main operational headache of any secondary seeding of the filters, though, is 
the maintenance of their source. Both BGP and RPKI provide a distributed way 
such things can be maintained.

Observant and old-enough readers will also be reminded of the "issues" that AOL 
used to have where your routes weren't used if they weren't properly 
registered. 

-- Jeff

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
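
The augmentation discussed in this thread, shown as an added Python example that is not code from the draft or from either poster: an RPF list built from a customer's BGP routes is widened with ROA prefixes, but only those whose origin AS lies in that customer's cone. The prefixes, AS numbers, function names and the (prefix, origin AS) form of the ROA data are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs, not from the thread).
CUSTOMER_CONE = {64496, 64497}     # ASNs in the cone behind the customer interface
BGP_PREFIXES = ["192.0.2.0/24"]    # prefixes seen in BGP routes from that customer
ROAS = [                           # (prefix, origin AS) pairs from validated ROAs
    ("198.51.100.0/24", 64497),    # origin in cone, prefix not seen in BGP here
    ("203.0.113.0/24", 64511),     # origin outside the cone
    ("2001:db8:a::/48", 64496),    # IPv6 ROA, origin in cone
]


def build_rpf_list(bgp_prefixes, roas, cone):
    """Return the BGP-derived RPF list augmented with in-cone ROA prefixes."""
    nets = {ipaddress.ip_network(p) for p in bgp_prefixes}
    for prefix, origin in roas:
        # Only a ROA whose origin AS is in the customer cone may widen the
        # filter; any other ROA says nothing about this interface.
        if origin in cone:
            nets.add(ipaddress.ip_network(prefix))
    return sorted(nets, key=lambda n: (n.version, n))


def permitted(src, rpf_list):
    """True if the packet source address falls inside any RPF-list prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in rpf_list)


if __name__ == "__main__":
    bgp_only = build_rpf_list(BGP_PREFIXES, [], CUSTOMER_CONE)
    augmented = build_rpf_list(BGP_PREFIXES, ROAS, CUSTOMER_CONE)
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "2001:db8:a::1"):
        print(src, permitted(src, bgp_only), permitted(src, augmented))
```

The ROA data is a secondary source alongside the BGP-derived list, so the filter is only as current as the validated ROA set it is rebuilt from.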
